|
cannam@49
|
1 // Copyright (c) 2013-2014 Sandstorm Development Group, Inc. and contributors
|
|
cannam@49
|
2 // Licensed under the MIT License:
|
|
cannam@49
|
3 //
|
|
cannam@49
|
4 // Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
cannam@49
|
5 // of this software and associated documentation files (the "Software"), to deal
|
|
cannam@49
|
6 // in the Software without restriction, including without limitation the rights
|
|
cannam@49
|
7 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
cannam@49
|
8 // copies of the Software, and to permit persons to whom the Software is
|
|
cannam@49
|
9 // furnished to do so, subject to the following conditions:
|
|
cannam@49
|
10 //
|
|
cannam@49
|
11 // The above copyright notice and this permission notice shall be included in
|
|
cannam@49
|
12 // all copies or substantial portions of the Software.
|
|
cannam@49
|
13 //
|
|
cannam@49
|
14 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
cannam@49
|
15 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
cannam@49
|
16 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
cannam@49
|
17 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
cannam@49
|
18 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
cannam@49
|
19 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
cannam@49
|
20 // THE SOFTWARE.
|
|
cannam@49
|
21
|
|
cannam@49
|
22 #ifndef CAPNP_ARENA_H_
|
|
cannam@49
|
23 #define CAPNP_ARENA_H_
|
|
cannam@49
|
24
|
|
cannam@49
|
25 #if defined(__GNUC__) && !defined(CAPNP_HEADER_WARNINGS)
|
|
cannam@49
|
26 #pragma GCC system_header
|
|
cannam@49
|
27 #endif
|
|
cannam@49
|
28
|
|
cannam@49
|
29 #ifndef CAPNP_PRIVATE
|
|
cannam@49
|
30 #error "This header is only meant to be included by Cap'n Proto's own source code."
|
|
cannam@49
|
31 #endif
|
|
cannam@49
|
32
|
|
cannam@49
|
33 #include <kj/common.h>
|
|
cannam@49
|
34 #include <kj/mutex.h>
|
|
cannam@49
|
35 #include <kj/exception.h>
|
|
cannam@49
|
36 #include <kj/vector.h>
|
|
cannam@49
|
37 #include "common.h"
|
|
cannam@49
|
38 #include "message.h"
|
|
cannam@49
|
39 #include "layout.h"
|
|
cannam@49
|
40 #include <unordered_map>
|
|
cannam@49
|
41
|
|
cannam@49
|
42 #if !CAPNP_LITE
|
|
cannam@49
|
43 #include "capability.h"
|
|
cannam@49
|
44 #endif // !CAPNP_LITE
|
|
cannam@49
|
45
|
|
cannam@49
|
46 namespace capnp {
|
|
cannam@49
|
47
|
|
cannam@49
|
48 #if !CAPNP_LITE
|
|
cannam@49
|
49 class ClientHook;
|
|
cannam@49
|
50 #endif // !CAPNP_LITE
|
|
cannam@49
|
51
|
|
cannam@49
|
52 namespace _ { // private
|
|
cannam@49
|
53
|
|
cannam@49
|
54 class SegmentReader;
|
|
cannam@49
|
55 class SegmentBuilder;
|
|
cannam@49
|
56 class Arena;
|
|
cannam@49
|
57 class BuilderArena;
|
|
cannam@49
|
58 class ReadLimiter;
|
|
cannam@49
|
59
|
|
cannam@49
|
60 class Segment;
|
|
cannam@49
|
61 typedef kj::Id<uint32_t, Segment> SegmentId;
|
|
cannam@49
|
62
|
|
cannam@49
|
63 class ReadLimiter {
|
|
cannam@49
|
64 // Used to keep track of how much data has been processed from a message, and cut off further
|
|
cannam@49
|
65 // processing if and when a particular limit is reached. This is primarily intended to guard
|
|
cannam@49
|
66 // against maliciously-crafted messages which contain cycles or overlapping structures. Cycles
|
|
cannam@49
|
67 // and overlapping are not permitted by the Cap'n Proto format because in many cases they could
|
|
cannam@49
|
68 // be used to craft a deceptively small message which could consume excessive server resources to
|
|
cannam@49
|
69 // process, perhaps even sending it into an infinite loop. Actually detecting overlaps would be
|
|
cannam@49
|
70 // time-consuming, so instead we just keep track of how many words worth of data structures the
|
|
cannam@49
|
71 // receiver has actually dereferenced and error out if this gets too high.
|
|
cannam@49
|
72 //
|
|
cannam@49
|
73 // This counting takes place as you call getters (for non-primitive values) on the message
|
|
cannam@49
|
74 // readers. If you call the same getter twice, the data it returns may be double-counted. This
|
|
cannam@49
|
75 // should not be a big deal in most cases -- just set the read limit high enough that it will
|
|
cannam@49
|
76 // only trigger in unreasonable cases.
|
|
cannam@49
|
77 //
|
|
cannam@49
|
78 // This class is "safe" to use from multiple threads for its intended use case. Threads may
|
|
cannam@49
|
79 // overwrite each others' changes to the counter, but this is OK because it only means that the
|
|
cannam@49
|
80 // limit is enforced a bit less strictly -- it will still kick in eventually.
|
|
cannam@49
|
81
|
|
cannam@49
|
82 public:
|
|
cannam@49
|
83 inline explicit ReadLimiter(); // No limit.
|
|
cannam@49
|
84 inline explicit ReadLimiter(WordCount64 limit); // Limit to the given number of words.
|
|
cannam@49
|
85
|
|
cannam@49
|
86 inline void reset(WordCount64 limit);
|
|
cannam@49
|
87
|
|
cannam@49
|
88 KJ_ALWAYS_INLINE(bool canRead(WordCount amount, Arena* arena));
|
|
cannam@49
|
89
|
|
cannam@49
|
90 void unread(WordCount64 amount);
|
|
cannam@49
|
91 // Adds back some words to the limit. Useful when the caller knows they are double-reading
|
|
cannam@49
|
92 // some data.
|
|
cannam@49
|
93
|
|
cannam@49
|
94 private:
|
|
cannam@49
|
95 volatile uint64_t limit;
|
|
cannam@49
|
96 // Current limit, decremented each time catRead() is called. Volatile because multiple threads
|
|
cannam@49
|
97 // could be trying to modify it at once. (This is not real thread-safety, but good enough for
|
|
cannam@49
|
98 // the purpose of this class. See class comment.)
|
|
cannam@49
|
99
|
|
cannam@49
|
100 KJ_DISALLOW_COPY(ReadLimiter);
|
|
cannam@49
|
101 };
|
|
cannam@49
|
102
|
|
cannam@49
|
103 #if !CAPNP_LITE
|
|
cannam@49
|
104 class BrokenCapFactory {
|
|
cannam@49
|
105 // Callback for constructing broken caps. We use this so that we can avoid arena.c++ having a
|
|
cannam@49
|
106 // link-time dependency on capability code that lives in libcapnp-rpc.
|
|
cannam@49
|
107
|
|
cannam@49
|
108 public:
|
|
cannam@49
|
109 virtual kj::Own<ClientHook> newBrokenCap(kj::StringPtr description) = 0;
|
|
cannam@49
|
110 virtual kj::Own<ClientHook> newNullCap() = 0;
|
|
cannam@49
|
111 };
|
|
cannam@49
|
112 #endif // !CAPNP_LITE
|
|
cannam@49
|
113
|
|
cannam@49
|
114 class SegmentReader {
|
|
cannam@49
|
115 public:
|
|
cannam@49
|
116 inline SegmentReader(Arena* arena, SegmentId id, kj::ArrayPtr<const word> ptr,
|
|
cannam@49
|
117 ReadLimiter* readLimiter);
|
|
cannam@49
|
118
|
|
cannam@49
|
119 KJ_ALWAYS_INLINE(bool containsInterval(const void* from, const void* to));
|
|
cannam@49
|
120
|
|
cannam@49
|
121 KJ_ALWAYS_INLINE(bool amplifiedRead(WordCount virtualAmount));
|
|
cannam@49
|
122 // Indicates that the reader should pretend that `virtualAmount` additional data was read even
|
|
cannam@49
|
123 // though no actual pointer was traversed. This is used e.g. when reading a struct list pointer
|
|
cannam@49
|
124 // where the element sizes are zero -- the sender could set the list size arbitrarily high and
|
|
cannam@49
|
125 // cause the receiver to iterate over this list even though the message itself is small, so we
|
|
cannam@49
|
126 // need to defend against DoS attacks based on this.
|
|
cannam@49
|
127
|
|
cannam@49
|
128 inline Arena* getArena();
|
|
cannam@49
|
129 inline SegmentId getSegmentId();
|
|
cannam@49
|
130
|
|
cannam@49
|
131 inline const word* getStartPtr();
|
|
cannam@49
|
132 inline WordCount getOffsetTo(const word* ptr);
|
|
cannam@49
|
133 inline WordCount getSize();
|
|
cannam@49
|
134
|
|
cannam@49
|
135 inline kj::ArrayPtr<const word> getArray();
|
|
cannam@49
|
136
|
|
cannam@49
|
137 inline void unread(WordCount64 amount);
|
|
cannam@49
|
138 // Add back some words to the ReadLimiter.
|
|
cannam@49
|
139
|
|
cannam@49
|
140 private:
|
|
cannam@49
|
141 Arena* arena;
|
|
cannam@49
|
142 SegmentId id;
|
|
cannam@49
|
143 kj::ArrayPtr<const word> ptr;
|
|
cannam@49
|
144 ReadLimiter* readLimiter;
|
|
cannam@49
|
145
|
|
cannam@49
|
146 KJ_DISALLOW_COPY(SegmentReader);
|
|
cannam@49
|
147
|
|
cannam@49
|
148 friend class SegmentBuilder;
|
|
cannam@49
|
149 };
|
|
cannam@49
|
150
|
|
cannam@49
|
151 class SegmentBuilder: public SegmentReader {
|
|
cannam@49
|
152 public:
|
|
cannam@49
|
153 inline SegmentBuilder(BuilderArena* arena, SegmentId id, kj::ArrayPtr<word> ptr,
|
|
cannam@49
|
154 ReadLimiter* readLimiter, size_t wordsUsed = 0);
|
|
cannam@49
|
155 inline SegmentBuilder(BuilderArena* arena, SegmentId id, kj::ArrayPtr<const word> ptr,
|
|
cannam@49
|
156 ReadLimiter* readLimiter);
|
|
cannam@49
|
157 inline SegmentBuilder(BuilderArena* arena, SegmentId id, decltype(nullptr),
|
|
cannam@49
|
158 ReadLimiter* readLimiter);
|
|
cannam@49
|
159
|
|
cannam@49
|
160 KJ_ALWAYS_INLINE(word* allocate(WordCount amount));
|
|
cannam@49
|
161
|
|
cannam@49
|
162 KJ_ALWAYS_INLINE(void checkWritable());
|
|
cannam@49
|
163 // Throw an exception if the segment is read-only (meaning it is a reference to external data).
|
|
cannam@49
|
164
|
|
cannam@49
|
165 KJ_ALWAYS_INLINE(word* getPtrUnchecked(WordCount offset));
|
|
cannam@49
|
166 // Get a writable pointer into the segment. Throws an exception if the segment is read-only (i.e.
|
|
cannam@49
|
167 // a reference to external immutable data).
|
|
cannam@49
|
168
|
|
cannam@49
|
169 inline BuilderArena* getArena();
|
|
cannam@49
|
170
|
|
cannam@49
|
171 inline kj::ArrayPtr<const word> currentlyAllocated();
|
|
cannam@49
|
172
|
|
cannam@49
|
173 inline void reset();
|
|
cannam@49
|
174
|
|
cannam@49
|
175 inline bool isWritable() { return !readOnly; }
|
|
cannam@49
|
176
|
|
cannam@49
|
177 inline void tryTruncate(word* from, word* to);
|
|
cannam@49
|
178 // If `from` points just past the current end of the segment, then move the end back to `to`.
|
|
cannam@49
|
179 // Otherwise, do nothing.
|
|
cannam@49
|
180
|
|
cannam@49
|
181 inline bool tryExtend(word* from, word* to);
|
|
cannam@49
|
182 // If `from` points just past the current end of the segment, and `to` is within the segment
|
|
cannam@49
|
183 // boundaries, then move the end up to `to` and return true. Otherwise, do nothing and return
|
|
cannam@49
|
184 // false.
|
|
cannam@49
|
185
|
|
cannam@49
|
186 private:
|
|
cannam@49
|
187 word* pos;
|
|
cannam@49
|
188 // Pointer to a pointer to the current end point of the segment, i.e. the location where the
|
|
cannam@49
|
189 // next object should be allocated.
|
|
cannam@49
|
190
|
|
cannam@49
|
191 bool readOnly;
|
|
cannam@49
|
192
|
|
cannam@49
|
193 void throwNotWritable();
|
|
cannam@49
|
194
|
|
cannam@49
|
195 KJ_DISALLOW_COPY(SegmentBuilder);
|
|
cannam@49
|
196 };
|
|
cannam@49
|
197
|
|
cannam@49
|
198 class Arena {
|
|
cannam@49
|
199 public:
|
|
cannam@49
|
200 virtual ~Arena() noexcept(false);
|
|
cannam@49
|
201
|
|
cannam@49
|
202 virtual SegmentReader* tryGetSegment(SegmentId id) = 0;
|
|
cannam@49
|
203 // Gets the segment with the given ID, or return nullptr if no such segment exists.
|
|
cannam@49
|
204
|
|
cannam@49
|
205 virtual void reportReadLimitReached() = 0;
|
|
cannam@49
|
206 // Called to report that the read limit has been reached. See ReadLimiter, below. This invokes
|
|
cannam@49
|
207 // the VALIDATE_INPUT() macro which may throw an exception; if it returns normally, the caller
|
|
cannam@49
|
208 // will need to continue with default values.
|
|
cannam@49
|
209 };
|
|
cannam@49
|
210
|
|
cannam@49
|
211 class ReaderArena final: public Arena {
|
|
cannam@49
|
212 public:
|
|
cannam@49
|
213 ReaderArena(MessageReader* message);
|
|
cannam@49
|
214 ~ReaderArena() noexcept(false);
|
|
cannam@49
|
215 KJ_DISALLOW_COPY(ReaderArena);
|
|
cannam@49
|
216
|
|
cannam@49
|
217 // implements Arena ------------------------------------------------
|
|
cannam@49
|
218 SegmentReader* tryGetSegment(SegmentId id) override;
|
|
cannam@49
|
219 void reportReadLimitReached() override;
|
|
cannam@49
|
220
|
|
cannam@49
|
221 private:
|
|
cannam@49
|
222 MessageReader* message;
|
|
cannam@49
|
223 ReadLimiter readLimiter;
|
|
cannam@49
|
224
|
|
cannam@49
|
225 // Optimize for single-segment messages so that small messages are handled quickly.
|
|
cannam@49
|
226 SegmentReader segment0;
|
|
cannam@49
|
227
|
|
cannam@49
|
228 typedef std::unordered_map<uint, kj::Own<SegmentReader>> SegmentMap;
|
|
cannam@49
|
229 kj::MutexGuarded<kj::Maybe<kj::Own<SegmentMap>>> moreSegments;
|
|
cannam@49
|
230 // We need to mutex-guard the segment map because we lazily initialize segments when they are
|
|
cannam@49
|
231 // first requested, but a Reader is allowed to be used concurrently in multiple threads. Luckily
|
|
cannam@49
|
232 // this only applies to large messages.
|
|
cannam@49
|
233 //
|
|
cannam@49
|
234 // TODO(perf): Thread-local thing instead? Some kind of lockless map? Or do sharing of data
|
|
cannam@49
|
235 // in a different way, where you have to construct a new MessageReader in each thread (but
|
|
cannam@49
|
236 // possibly backed by the same data)?
|
|
cannam@49
|
237 };
|
|
cannam@49
|
238
|
|
cannam@49
|
239 class BuilderArena final: public Arena {
|
|
cannam@49
|
240 // A BuilderArena that does not allow the injection of capabilities.
|
|
cannam@49
|
241
|
|
cannam@49
|
242 public:
|
|
cannam@49
|
243 explicit BuilderArena(MessageBuilder* message);
|
|
cannam@49
|
244 BuilderArena(MessageBuilder* message, kj::ArrayPtr<MessageBuilder::SegmentInit> segments);
|
|
cannam@49
|
245 ~BuilderArena() noexcept(false);
|
|
cannam@49
|
246 KJ_DISALLOW_COPY(BuilderArena);
|
|
cannam@49
|
247
|
|
cannam@49
|
248 inline SegmentBuilder* getRootSegment() { return &segment0; }
|
|
cannam@49
|
249
|
|
cannam@49
|
250 kj::ArrayPtr<const kj::ArrayPtr<const word>> getSegmentsForOutput();
|
|
cannam@49
|
251 // Get an array of all the segments, suitable for writing out. This only returns the allocated
|
|
cannam@49
|
252 // portion of each segment, whereas tryGetSegment() returns something that includes
|
|
cannam@49
|
253 // not-yet-allocated space.
|
|
cannam@49
|
254
|
|
cannam@49
|
255 inline CapTableBuilder* getLocalCapTable() {
|
|
cannam@49
|
256 // Return a CapTableBuilder that merely implements local loopback. That is, you can set
|
|
cannam@49
|
257 // capabilities, then read the same capabilities back, but there is no intent ever to transmit
|
|
cannam@49
|
258 // these capabilities. A MessageBuilder that isn't imbued with some other CapTable uses this
|
|
cannam@49
|
259 // by default.
|
|
cannam@49
|
260 //
|
|
cannam@49
|
261 // TODO(cleanup): It's sort of a hack that this exists. In theory, perhaps, unimbued
|
|
cannam@49
|
262 // MessageBuilders should throw exceptions on any attempt to access capability fields, like
|
|
cannam@49
|
263 // unimbued MessageReaders do. However, lots of code exists which uses MallocMessageBuilder
|
|
cannam@49
|
264 // as a temporary holder for data to be copied in and out (without being serialized), and it
|
|
cannam@49
|
265 // is expected that such data can include capabilities, which is admittedly reasonable.
|
|
cannam@49
|
266 // Therefore, all MessageBuilders must have a cap table by default. Arguably we should
|
|
cannam@49
|
267 // deprecate this usage and instead define a new helper type for this exact purpose.
|
|
cannam@49
|
268
|
|
cannam@49
|
269 return &localCapTable;
|
|
cannam@49
|
270 }
|
|
cannam@49
|
271
|
|
cannam@49
|
272 SegmentBuilder* getSegment(SegmentId id);
|
|
cannam@49
|
273 // Get the segment with the given id. Crashes or throws an exception if no such segment exists.
|
|
cannam@49
|
274
|
|
cannam@49
|
275 struct AllocateResult {
|
|
cannam@49
|
276 SegmentBuilder* segment;
|
|
cannam@49
|
277 word* words;
|
|
cannam@49
|
278 };
|
|
cannam@49
|
279
|
|
cannam@49
|
280 AllocateResult allocate(WordCount amount);
|
|
cannam@49
|
281 // Find a segment with at least the given amount of space available and allocate the space.
|
|
cannam@49
|
282 // Note that allocating directly from a particular segment is much faster, but allocating from
|
|
cannam@49
|
283 // the arena is guaranteed to succeed. Therefore callers should try to allocate from a specific
|
|
cannam@49
|
284 // segment first if there is one, then fall back to the arena.
|
|
cannam@49
|
285
|
|
cannam@49
|
286 SegmentBuilder* addExternalSegment(kj::ArrayPtr<const word> content);
|
|
cannam@49
|
287 // Add a new segment to the arena which points to some existing memory region. The segment is
|
|
cannam@49
|
288 // assumed to be completley full; the arena will never allocate from it. In fact, the segment
|
|
cannam@49
|
289 // is considered read-only. Any attempt to get a Builder pointing into this segment will throw
|
|
cannam@49
|
290 // an exception. Readers are allowed, however.
|
|
cannam@49
|
291 //
|
|
cannam@49
|
292 // This can be used to inject some external data into a message without a copy, e.g. embedding a
|
|
cannam@49
|
293 // large mmap'd file into a message as `Data` without forcing that data to actually be read in
|
|
cannam@49
|
294 // from disk (until the message itself is written out). `Orphanage` provides the public API for
|
|
cannam@49
|
295 // this feature.
|
|
cannam@49
|
296
|
|
cannam@49
|
297 // implements Arena ------------------------------------------------
|
|
cannam@49
|
298 SegmentReader* tryGetSegment(SegmentId id) override;
|
|
cannam@49
|
299 void reportReadLimitReached() override;
|
|
cannam@49
|
300
|
|
cannam@49
|
301 private:
|
|
cannam@49
|
302 MessageBuilder* message;
|
|
cannam@49
|
303 ReadLimiter dummyLimiter;
|
|
cannam@49
|
304
|
|
cannam@49
|
305 class LocalCapTable: public CapTableBuilder {
|
|
cannam@49
|
306 #if !CAPNP_LITE
|
|
cannam@49
|
307 public:
|
|
cannam@49
|
308 kj::Maybe<kj::Own<ClientHook>> extractCap(uint index) override;
|
|
cannam@49
|
309 uint injectCap(kj::Own<ClientHook>&& cap) override;
|
|
cannam@49
|
310 void dropCap(uint index) override;
|
|
cannam@49
|
311
|
|
cannam@49
|
312 private:
|
|
cannam@49
|
313 kj::Vector<kj::Maybe<kj::Own<ClientHook>>> capTable;
|
|
cannam@49
|
314 #endif // ! CAPNP_LITE
|
|
cannam@49
|
315 };
|
|
cannam@49
|
316
|
|
cannam@49
|
317 LocalCapTable localCapTable;
|
|
cannam@49
|
318
|
|
cannam@49
|
319 SegmentBuilder segment0;
|
|
cannam@49
|
320 kj::ArrayPtr<const word> segment0ForOutput;
|
|
cannam@49
|
321
|
|
cannam@49
|
322 struct MultiSegmentState {
|
|
cannam@49
|
323 kj::Vector<kj::Own<SegmentBuilder>> builders;
|
|
cannam@49
|
324 kj::Vector<kj::ArrayPtr<const word>> forOutput;
|
|
cannam@49
|
325 };
|
|
cannam@49
|
326 kj::Maybe<kj::Own<MultiSegmentState>> moreSegments;
|
|
cannam@49
|
327
|
|
cannam@49
|
328 SegmentBuilder* segmentWithSpace = nullptr;
|
|
cannam@49
|
329 // When allocating, look for space in this segment first before resorting to allocating a new
|
|
cannam@49
|
330 // segment. This is not necessarily the last segment because addExternalSegment() may add a
|
|
cannam@49
|
331 // segment that is already-full, in which case we don't update this pointer.
|
|
cannam@49
|
332
|
|
cannam@49
|
333 template <typename T> // Can be `word` or `const word`.
|
|
cannam@49
|
334 SegmentBuilder* addSegmentInternal(kj::ArrayPtr<T> content);
|
|
cannam@49
|
335 };
|
|
cannam@49
|
336
|
|
cannam@49
|
337 // =======================================================================================
|
|
cannam@49
|
338
|
|
cannam@49
|
339 inline ReadLimiter::ReadLimiter()
|
|
cannam@49
|
340 : limit(kj::maxValue) {}
|
|
cannam@49
|
341
|
|
cannam@49
|
342 inline ReadLimiter::ReadLimiter(WordCount64 limit): limit(limit / WORDS) {}
|
|
cannam@49
|
343
|
|
cannam@49
|
344 inline void ReadLimiter::reset(WordCount64 limit) { this->limit = limit / WORDS; }
|
|
cannam@49
|
345
|
|
cannam@49
|
346 inline bool ReadLimiter::canRead(WordCount amount, Arena* arena) {
|
|
cannam@49
|
347 // Be careful not to store an underflowed value into `limit`, even if multiple threads are
|
|
cannam@49
|
348 // decrementing it.
|
|
cannam@49
|
349 uint64_t current = limit;
|
|
cannam@49
|
350 if (KJ_UNLIKELY(amount / WORDS > current)) {
|
|
cannam@49
|
351 arena->reportReadLimitReached();
|
|
cannam@49
|
352 return false;
|
|
cannam@49
|
353 } else {
|
|
cannam@49
|
354 limit = current - amount / WORDS;
|
|
cannam@49
|
355 return true;
|
|
cannam@49
|
356 }
|
|
cannam@49
|
357 }
|
|
cannam@49
|
358
|
|
cannam@49
|
359 // -------------------------------------------------------------------
|
|
cannam@49
|
360
|
|
cannam@49
|
361 inline SegmentReader::SegmentReader(Arena* arena, SegmentId id, kj::ArrayPtr<const word> ptr,
|
|
cannam@49
|
362 ReadLimiter* readLimiter)
|
|
cannam@49
|
363 : arena(arena), id(id), ptr(ptr), readLimiter(readLimiter) {}
|
|
cannam@49
|
364
|
|
cannam@49
|
365 inline bool SegmentReader::containsInterval(const void* from, const void* to) {
|
|
cannam@49
|
366 return from >= this->ptr.begin() && to <= this->ptr.end() && from <= to &&
|
|
cannam@49
|
367 readLimiter->canRead(
|
|
cannam@49
|
368 intervalLength(reinterpret_cast<const byte*>(from),
|
|
cannam@49
|
369 reinterpret_cast<const byte*>(to)) / BYTES_PER_WORD,
|
|
cannam@49
|
370 arena);
|
|
cannam@49
|
371 }
|
|
cannam@49
|
372
|
|
cannam@49
|
373 inline bool SegmentReader::amplifiedRead(WordCount virtualAmount) {
|
|
cannam@49
|
374 return readLimiter->canRead(virtualAmount, arena);
|
|
cannam@49
|
375 }
|
|
cannam@49
|
376
|
|
cannam@49
|
377 inline Arena* SegmentReader::getArena() { return arena; }
|
|
cannam@49
|
378 inline SegmentId SegmentReader::getSegmentId() { return id; }
|
|
cannam@49
|
379 inline const word* SegmentReader::getStartPtr() { return ptr.begin(); }
|
|
cannam@49
|
380 inline WordCount SegmentReader::getOffsetTo(const word* ptr) {
|
|
cannam@49
|
381 return intervalLength(this->ptr.begin(), ptr);
|
|
cannam@49
|
382 }
|
|
cannam@49
|
383 inline WordCount SegmentReader::getSize() { return ptr.size() * WORDS; }
|
|
cannam@49
|
384 inline kj::ArrayPtr<const word> SegmentReader::getArray() { return ptr; }
|
|
cannam@49
|
385 inline void SegmentReader::unread(WordCount64 amount) { readLimiter->unread(amount); }
|
|
cannam@49
|
386
|
|
cannam@49
|
387 // -------------------------------------------------------------------
|
|
cannam@49
|
388
|
|
cannam@49
|
389 inline SegmentBuilder::SegmentBuilder(
|
|
cannam@49
|
390 BuilderArena* arena, SegmentId id, kj::ArrayPtr<word> ptr, ReadLimiter* readLimiter,
|
|
cannam@49
|
391 size_t wordsUsed)
|
|
cannam@49
|
392 : SegmentReader(arena, id, ptr, readLimiter), pos(ptr.begin() + wordsUsed), readOnly(false) {}
|
|
cannam@49
|
393 inline SegmentBuilder::SegmentBuilder(
|
|
cannam@49
|
394 BuilderArena* arena, SegmentId id, kj::ArrayPtr<const word> ptr, ReadLimiter* readLimiter)
|
|
cannam@49
|
395 : SegmentReader(arena, id, ptr, readLimiter),
|
|
cannam@49
|
396 // const_cast is safe here because the member won't ever be dereferenced because it appears
|
|
cannam@49
|
397 // to point to the end of the segment anyway.
|
|
cannam@49
|
398 pos(const_cast<word*>(ptr.end())),
|
|
cannam@49
|
399 readOnly(true) {}
|
|
cannam@49
|
400 inline SegmentBuilder::SegmentBuilder(BuilderArena* arena, SegmentId id, decltype(nullptr),
|
|
cannam@49
|
401 ReadLimiter* readLimiter)
|
|
cannam@49
|
402 : SegmentReader(arena, id, nullptr, readLimiter), pos(nullptr), readOnly(false) {}
|
|
cannam@49
|
403
|
|
cannam@49
|
404 inline word* SegmentBuilder::allocate(WordCount amount) {
|
|
cannam@49
|
405 if (intervalLength(pos, ptr.end()) < amount) {
|
|
cannam@49
|
406 // Not enough space in the segment for this allocation.
|
|
cannam@49
|
407 return nullptr;
|
|
cannam@49
|
408 } else {
|
|
cannam@49
|
409 // Success.
|
|
cannam@49
|
410 word* result = pos;
|
|
cannam@49
|
411 pos = pos + amount;
|
|
cannam@49
|
412 return result;
|
|
cannam@49
|
413 }
|
|
cannam@49
|
414 }
|
|
cannam@49
|
415
|
|
cannam@49
|
416 inline void SegmentBuilder::checkWritable() {
|
|
cannam@49
|
417 if (KJ_UNLIKELY(readOnly)) throwNotWritable();
|
|
cannam@49
|
418 }
|
|
cannam@49
|
419
|
|
cannam@49
|
420 inline word* SegmentBuilder::getPtrUnchecked(WordCount offset) {
|
|
cannam@49
|
421 return const_cast<word*>(ptr.begin() + offset);
|
|
cannam@49
|
422 }
|
|
cannam@49
|
423
|
|
cannam@49
|
424 inline BuilderArena* SegmentBuilder::getArena() {
|
|
cannam@49
|
425 // Down-cast safe because SegmentBuilder's constructor always initializes its SegmentReader base
|
|
cannam@49
|
426 // class with an Arena pointer that actually points to a BuilderArena.
|
|
cannam@49
|
427 return static_cast<BuilderArena*>(arena);
|
|
cannam@49
|
428 }
|
|
cannam@49
|
429
|
|
cannam@49
|
430 inline kj::ArrayPtr<const word> SegmentBuilder::currentlyAllocated() {
|
|
cannam@49
|
431 return kj::arrayPtr(ptr.begin(), pos - ptr.begin());
|
|
cannam@49
|
432 }
|
|
cannam@49
|
433
|
|
cannam@49
|
434 inline void SegmentBuilder::reset() {
|
|
cannam@49
|
435 word* start = getPtrUnchecked(0 * WORDS);
|
|
cannam@49
|
436 memset(start, 0, (pos - start) * sizeof(word));
|
|
cannam@49
|
437 pos = start;
|
|
cannam@49
|
438 }
|
|
cannam@49
|
439
|
|
cannam@49
|
440 inline void SegmentBuilder::tryTruncate(word* from, word* to) {
|
|
cannam@49
|
441 if (pos == from) pos = to;
|
|
cannam@49
|
442 }
|
|
cannam@49
|
443
|
|
cannam@49
|
444 inline bool SegmentBuilder::tryExtend(word* from, word* to) {
|
|
cannam@49
|
445 // Careful about overflow.
|
|
cannam@49
|
446 if (pos == from && to <= ptr.end() && to >= from) {
|
|
cannam@49
|
447 pos = to;
|
|
cannam@49
|
448 return true;
|
|
cannam@49
|
449 } else {
|
|
cannam@49
|
450 return false;
|
|
cannam@49
|
451 }
|
|
cannam@49
|
452 }
|
|
cannam@49
|
453
|
|
cannam@49
|
454 } // namespace _ (private)
|
|
cannam@49
|
455 } // namespace capnp
|
|
cannam@49
|
456
|
|
cannam@49
|
457 #endif // CAPNP_ARENA_H_
|
